Troubleshooting with the Windows Sysinternals Tools

Series
Microsoft Press
Author
Mark E. Russinovich / Aaron Margosis  
Publisher
Microsoft Press
Cover
Softcover
Edition
2
Language
English
Total pages
608
Pub.-date
October 2016
ISBN13
9780735684447
ISBN
0735684448
Related Titles


Product detail

Product Price CHF Available  
9780735684447
Troubleshooting with the Windows Sysinternals Tools
61.30 approx. 7-9 days

Description

The Sysinternals utilities are indispensable and very popular tools for diagnosing, troubleshooting, and researching the Windows platform. Troubleshooting with the Windows Sysinternals Tools, Second Edition, is the most accurate and complete reference for these utilities and includes an expanded “Case of the Unexplained” section that illustrates their use, detailed coverage of new tools and updated features in existing tools, and a “Procmon and ProcDump, Better Together” feature demonstrating new capabilities that the tools now enable in each other.

Features

  • Process Explorer, Process Monitor, and 70 other powerful (and free!) utilities
  • Applicable to all technical roles on Windows, including hobbyists, developers, and researchers
  • Includes an expanded “Case of the Unexplained," detailed coverage of new tools and updated features in existing tools, and a “Procmon and ProcDump, Better Together” feature demonstrating new capabilities that the tools now enable in each other

New to this Edition

This Second Edition has been thoroughly updated to reflect new Sysinternals tools and updated features in existing tools. It contains an expanded "Case of the Unexplained" section illustrating these tools at work, and a new "Procmon and ProcDump, Better Together" feature demonstrating capabilities Procmon and ProcDump now enable in each other.

Table of Contents

Part I    Getting started

Chapter 1 Getting started with the Sysinternals utilities  

Overview of the utilities

The Windows Sysinternals website

Sysinternals license information


Chapter 2 Windows core concepts  

Administrative rights

Processes, threads, and jobs

User mode and kernel mode

Handles

Application isolation

Call stacks and symbols

Sessions, window stations, desktops, and window messages


Chapter 3 Process Explorer   

Procexp overview

Main window

DLLs and handles

Process details

Thread details

Verifying image signatures

VirusTotal analysis

System information

Display options

Procexp as a Task Manager replacement

Miscellaneous features

Keyboard shortcut reference


Chapter 4 Autoruns    

Autoruns fundamentals

Autostart categories

Saving and comparing results

AutorunsC

Autoruns and malware


Part II   Usage guide

Chapter 5 Process Monitor

Getting started with Procmon

Events

Filtering, highlighting, and bookmarking

Process Tree

Saving and opening Procmon traces

Logging boot, post-logoff, and shutdown activity

Long-running traces and controlling log sizes

Importing and exporting configuration settings

Automating Procmon: command-line options

Analysis tools

Injecting custom debug output into Procmon traces

Toolbar reference


Chapter 6 ProcDump  

Command-line syntax

Specifying which process to monitor

Specifying the dump file path

Specifying criteria for a dump

Monitoring exceptions

Dump file options

Miniplus dumps

ProcDump and Procmon: Better together

Running ProcDump noninteractively

Viewing the dump in the debugger


Chapter 7 PsTools

Common features

PsExec

PsFile

PsGetSid

PsInfo

PsKill

PsList

PsLoggedOn

PsLogList

PsPasswd

PsService

PsShutdown

PsSuspend

PsTools command-line syntax

PsTools system requirements


Chapter 8 Process and diagnostic utilities  

VMMap

DebugView

LiveKd

ListDLLs

Handle


Chapter 9 Security utilities                                             

SigCheck

AccessChk

Sysmon

AccessEnum

ShareEnum

ShellRunAs

Autologon

LogonSessions

SDelete


Chapter 10  Active Directory utilities

AdExplorer

AdInsight

AdRestore


Chapter 11  Desktop utilities

BgInfo

Desktops.

ZoomIt


Chapter 12  File utilities  

Strings

Streams

NTFS link utilities

Disk Usage (DU)

Post-reboot file operation utilities


Chapter 13  Disk utilities

Disk2Vhd

Sync

DiskView

Contig

DiskExt

LDMDump

VolumeID


Chapter 14  Network and communication utilities  

PsPing

TCPView

Whois


Chapter 15  System information utilities   

RAMMap

Registry Usage (RU)

CoreInfo

WinObj

LoadOrder

PipeList

ClockRes


Chapter 16  Miscellaneous utilities   

RegJump

Hex2Dec

RegDelNull

Bluescreen Screen Saver

Ctrl2Cap


Part III Troubleshooting—“The Case of the
Unexplained…”


Chapter 17  Error messages  

Troubleshooting error messages

The Case of the Locked Folder

The Case of the File In Use Error

The Case of the Unknown Photo Viewer Error

The Case of the Failing ActiveX Registration

The Case of the Failed Play-To

The Case of the Installation Failure

The Case of the Unreadable Text Files

The Case of the Missing Folder Association

The Case of the Temporary Registry Profiles

The Case of the Office RMS Error

The Case of the Failed Forest Functional Level Raise


Chapter 18  Crashes

Troubleshooting crashes

The Case of the Failed AV Update

The Case of the Crashing Proksi Utility

The Case of the Failed Network Location Awareness Service 

The Case of the Failed EMET Upgrade

The Case of the Missing Crash Dump

The Case of the Random Sluggishness


Chapter 19  Hangs and sluggish performance

Troubleshooting hangs and sluggish performance

The Case of the IExplore-Pegged CPU

The Case of the Runaway Website

The Case of the Excessive ReadyBoost

The Case of the Stuttering Laptop Blu-ray Player

The Case of the Company 15-Minute Logons

The Case of the Hanging PayPal Emails

The Case of the Hanging Accounting Software

The Case of the Slow Keynote Demo

The Case of the Slow Project File Opens

The Compound Case of the Outlook Hangs


Chapter 20  Malware   

Troubleshooting malware

Stuxnet

The Case of the Strange Reboots

The Case of the Fake Java Updater

The Case of the Winwebsec Scareware

The Case of the Runaway GPU

The Case of the Unexplained FTP Connections

The Case of the Misconfigured Service

The Case of the Sysinternals-Blocking Malware

The Case of the Process-Killing Malware

The Case of the Fake System Component

The Case of the Mysterious ASEP


Chapter 21  Understanding system behavior

The Case of the Q: Drive

The Case of the Unexplained Network Connections

The Case of the Short-Lived Processes

The Case of the App Install Recorder

The Case of the Unknown NTLM Communications


Chapter 22  Developer troubleshooting   

The Case of the Broken Kerberos Delegation

The Case of the ProcDump Memory Leak

  

 

Author

Mark Russinovich is Chief Technology Officer of Microsoft Azure, where he oversees the technical strategy and architecture of Microsoft’s cloud computing platform. He is a widely recognized expert in distributed systems, operating system internals, and cybersecurity. He is the author of the Jeff Aiken cyberthriller novels, Zero Day, Trojan Horse, and Rogue Code, and co-author of the Microsoft Press Windows Internals books. Russinovich joined Microsoft in 2006 when Microsoft acquired Winternals Software, the company he cofounded in 1996, as well as Sysinternals, where he authors and publishes dozens of popular Windows administration and diagnostic utilities. He is a featured speaker at major industry conferences, including Microsoft Ignite, Microsoft //build, RSA Conference, and more.

Aaron Margosis is a Principal Consultant with Microsoft’s Global Cybersecurity Practice, where he has worked with security-conscious customers since 1999. Aaron specializes in Windows security, least-privilege, application compatibility, and the configuration of locked-down environments. He is a top speaker at Microsoft conferences, and created many of the tools commonly used by organizations implementing high-security environments, including LUA Buglight, Policy Analyzer, IE Zone Analyzer, LGPO.exe (Local Group Policy Object utility), and MakeMeAdmin, which can be downloaded through his blog (https://blogs.msdn.microsoft.com/aaron_margosis) or through two team blogs for which he is a primary author (https://blogs.technet.microsoft.com/fdcc and https://blogs.technet.microsoft.com/SecGuide).